[CentOS] Not - Re: New DNS server up and running

James Hogarth james.hogarth at gmail.com
Thu Feb 21 12:14:57 UTC 2013


> Great.  I have to make notes on how to test about selinux reporting.
>
>
>
audit2allow is useful to generate custom modules etc too - just don't be too
blind in using them ;)

other useful things are semanage boolean and so on - centos has a good wiki
page on selinux


> I assume that 'getenforce permissive' is a command I can use to change
> selinux behaviour without rebooting?  I basically ran out of time
> yesterday, and had to get the network up and running.
>
> Though over on the bind-user list, I was shown that the meaning of
> allow-query has changed and that might be my problem.
>
>
Apologies on the typo - I was in a hurry ... getenforce will tell you the
current status of selinux... setenforce to change it

If you aren't placing things in odd locations (and especially if not using
chroot) I'd expect no selinux errors though, and more likely a bind config
error


>
> Nasty DNS attack on static port 53.  Now bind will select 4096 high ports
> to use as its source port on responses.  So the query comes in with a
> destination port of 53 with the client using port 53 (as I recall), but the
> response goes back with bind using a random source port, not 53.  I think I
> have Kaminsky's (sp!) spoofing attack properly summarized.  Cricket Liu was
> in town last week for a company dog-n-pony and he covered this.  This kind
> of thing I deal with regularly in my job, but right now I am tired and
> probably confusing this attack with two others that bind has recently had
> to dodge around.
>
>
I know what you're talking about now... needed coffee to remind myself...
but unless you are limiting iptables on the OUTPUT chain it shouldn't be an
issue...
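The two checks this reply points at, written out as an added example (it is not part of the thread, and not CentOS's or BIND's own tooling): first, whether SELinux is actually denying named anything, and second, whether the iptables OUTPUT chain pins the source port of outgoing UDP/53 traffic, which is what would strand the queries BIND now sends from random high ports. The audit.log excerpt and the `iptables -S OUTPUT` listing below are constructed so the script runs offline; the function names, the sample contents and the "source-port-pinned" verdict are my own, and the verdict is a heuristic rather than a full rule-set simulation.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from CentOS/BIND.
# On a real host feed the functions real data instead of the samples:
#   avc_denials named /tmp/avc.log    # from: ausearch -m avc -c named > /tmp/avc.log
#   output_policy /tmp/out.rules      # from: iptables -S OUTPUT > /tmp/out.rules
#   dns_egress_verdict /tmp/out.rules

# Constructed audit.log excerpt: one AVC denial for named, one unrelated to it.
SAMPLE_AUDIT='type=AVC msg=audit(1361448000.123:456): avc:  denied  { write } for  pid=1234 comm="named" name="named" dev=dm-0 ino=7890 scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1361448001.456:457): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=dm-0 ino=1111 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file'

# Constructed `iptables -S OUTPUT` listing: default DROP, UDP DNS allowed out
# only from source port 53, i.e. the pre-randomisation assumption.  Outgoing
# queries are NEW conntrack entries, so the RELATED,ESTABLISHED rule does not
# rescue them.
SAMPLE_OUTPUT_CHAIN='-P OUTPUT DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --sport 53 --dport 53 -j ACCEPT'

# input_or_sample FILE SAMPLE: read FILE if given, else emit the sample text.
input_or_sample() {
    if [ -n "$1" ]; then cat "$1"; else printf '%s\n' "$2"; fi
}

# avc_denials COMM [FILE]: one line "permission tclass target_type" per AVC
# denial whose comm= field equals COMM.  Empty output means SELinux is not
# the problem and the bind config should be looked at first.
avc_denials() {
    input_or_sample "$2" "$SAMPLE_AUDIT" | awk -v want="$1" '
        /avc: *denied/ && index($0, "comm=\"" want "\"") {
            perm = $0; sub(/.*denied *[{] */, "", perm); sub(/ *[}].*/, "", perm)
            tctx = $0; sub(/.*tcontext=/, "", tctx); sub(/ .*/, "", tctx)
            split(tctx, c, ":")
            cls = $0; sub(/.*tclass=/, "", cls); sub(/ .*/, "", cls)
            print perm, cls, c[3]
        }'
}

# output_policy [FILE]: the OUTPUT chain default policy (ACCEPT/DROP/REJECT).
output_policy() {
    input_or_sample "$1" "$SAMPLE_OUTPUT_CHAIN" | awk '$1 == "-P" && $2 == "OUTPUT" { print $3 }'
}

# pinned_dns_rules [FILE]: ACCEPT rules for UDP to port 53 that also constrain
# the source port -- the rules that stand in for the old fixed-port behaviour.
pinned_dns_rules() {
    input_or_sample "$1" "$SAMPLE_OUTPUT_CHAIN" \
    | grep -- '-A OUTPUT' | grep -- '-p udp' | grep -- '--dport 53 ' \
    | grep -- '--sport' | grep -- '-j ACCEPT'
}

# dns_egress_verdict [FILE]: "source-port-pinned" when the policy is not ACCEPT
# and every UDP/53 accept rule constrains the source port; otherwise "ok".
dns_egress_verdict() {
    pol=$(output_policy "$1")
    all=$(input_or_sample "$1" "$SAMPLE_OUTPUT_CHAIN" | grep -- '-A OUTPUT' \
          | grep -- '-p udp' | grep -c -- '--dport 53 ' || :)
    pinned=$(pinned_dns_rules "$1" | grep -c . || :)
    if [ "$pol" != "ACCEPT" ] && [ "$all" -gt 0 ] && [ "$all" -eq "$pinned" ]; then
        echo "source-port-pinned"
    else
        echo "ok"
    fi
}

# Stand-alone run against the constructed samples.
echo "SELinux denials for named:"; avc_denials named
echo "OUTPUT policy: $(output_policy)"
echo "DNS egress: $(dns_egress_verdict)"
```

If `avc_denials named` prints anything, `audit2allow -a -M local` will happily turn it into a module; read the generated .te first, because a denial on a file in an odd location usually wants a `semanage fcontext` / `restorecon` fix or a boolean, not a blanket allow rule. If the egress verdict is "source-port-pinned", the fix is a rule that matches on `--dport 53` with the state module rather than on `--sport 53`.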


